[rbldnsd] I HATE BIND - please help

Michael Tokarev mjt at tls.msk.ru
Sun Mar 2 23:50:21 MSK 2008


Chris. wrote:
[]
> FWIW both the working, and non-working installs were on BSD/OS (FreeBSD).

Ok.

> FWIW both installs declared only localhost at 127.0.0.1 in their hosts file.
Irrelevant -- DNS internally works by using IP addresses only,
never looking into hosts file.

> FWIW both installs used only 1 (one) Internet Routable IP address on the RBLDNS commandline.
Irrelevant - 1, 10, 100 - makes no difference.

> FWIW nospammers.COM, and nospammers.NET each have a different, and valid internet routable
> addresses. Both names are fictitious in this dialog, as I'm not ready to announce them
> until I have a working, and stable RBLDNSD install. I hope that's understandable. :)

By the way, you can have as many IP addresses for a domain [name] as you wish,
including 0.  The opposite is true as well - as many domain names can live on a
single IP address as necessary.

> FWIW other than the FQDN, and IP addresses, the only difference between the 2 installs
> is the version of BSD, and the version of the BIND.

So this brings up my first question - the inability to bind to loopback
other than 127.0.0.1.  I'm not an expert in FreeBSD, so it's not my game.
Maybe it's version dependent, maybe some local settings or compile-time
flag - I've no idea.  The thing is that one of your systems allows binding
to any 127.x.x.x address freely, while another does not.

Note it's not rbldnsd that refuses to bind to 127.0.0.3 etc, it's the Operating
System that does not permit it to do so.

If you don't believe me, try the following perl program:

--------- cut -------------
#! /usr/bin/perl -W
# Try to bind a UDP socket to the given address (default 127.0.0.3) on
# port 1053.  If the OS does not permit it, bind() fails and prints why.
use Socket;
socket(H, PF_INET, SOCK_DGRAM, 0) or die "socket: $!";
my $sin = sockaddr_in(1053, inet_aton($ARGV[0] || "127.0.0.3"));
bind(H, $sin) or die "bind: $!";
print "success!\n";
--------- cut -------------

run it on your "working" machine (which allows binding to non-127.0.0.1
addresses) and on your "non-working" machine.  Try without starting
bind and/or rbldnsd or anything else (except network, obviously) -
it does not matter which version of bind you're running.

Yet again: this issue (rbldnsd is unable to bind to 127.0.0.3 etc)
is a completely separate issue, unrelated to any other.  You already
worked around it(*) by using your PRIP instead of loopback range.

> FWIW I realize that the thread has obscured my original post which included my detailed
> (and working) config/setup. If you wish me to repeat it, I would be more than happy
> to reproduce it here. Also, if there is anything else required/desired to assist you,
> please let me know, as I will be happy to oblige. ;)

I just re-read your original message.  And to be fair, I don't see a
question in it which I can answer...  You describe your working setup
in full details, next you describe some other setup you want to achieve
(which is different from your current setup, but by very small details),
and next you ask if someone has a recipe...  But you already gave a
recipe in your working setup, which needs only a few changes to adapt.

> FWIW I'm confident that this is a resolvable problem. As such, I have begun creating

They all definitely ARE solvable problems.  Let's start hunting them
one-by-one.

> a web interface to the RBLDNSD lists which can be manipulated from a web browser,
> and stored in a DB. Hope this helps.

Heh.  Maybe - I for one hate web interfaces ;)

> OH. One more thing. It might be worth noting that there is a bug in the 9.4 BIND
> related to name resolution (gethostbyname as I recall). This may be the difference,
> which may require some sort of kludge to work around - see; may be the trouble.

bind does not use gethostbyname() library routine.
Regardless, it's not the bug to worry about in our case.

> Thank you again for taking the time to respond. Please do not trouble yourself
> until you are feeling better. I will be more than happy to wait until then. :)

Yes I'm *much* better now.  When I wrote my first reply to you, I had a temp of 38.4C -
it was a flu (grippe as we call it here).  Now I'm back to normal again.

Ok, back to our horses/sheeps/whatever.

From this thread I gathered the following problems of yours so far:

1) bind to loopback but non-127.0.0.1 address.  See above.  It's your job to
   find what's going on here, or ask on freebsd list(s) - again, you know
   better than me here.

2)
Duplicating my previous /working/ setup on the new server, /ALWAYS/
  1204196045 <internet IP here> 165.193.171.124.blackhole.nospammers.NET A IN: REFUSED/0/61

this means (provided you don't have any fancy stuff like acl enabled in
rbldnsd) that it knows nothing about the blackhole.nospammers.NET zone, and
as such it just refuses to answer you.  Show the command line and actual
domain name, or just check they match your expectations.  For example:

  rbldnsd ... f00.com:ip4set:data

and query it as

  dig 1.2.3.4.foo.com ...

it will return REFUSED, see why already? :)

So, configure your system to allow binding to 127.0.0.2 etc, bind
rbldnsd somewhere there TO PORT 53 (standard DNS port), and use dig
(or whatever) to query rbldnsd directly first.  Only after that do the
next step and debug it all correctly.  By the way, you can try
dnsget utility from http://www.corpit.ru/mjt/udns.html -- it matches
`host' utility from BIND and allows to specify port too (maybe dig
has 'port' option as well? I don't remember).

3) problem spotted by furio ercolessi (well spotted!) --

 >> # dig @my.internet.routable.IP 2.0.0.127.blackhole.nospammers.NET
 >> or:
 >> # dig @my.internet.routable.IP 3.0.0.127.blackhole.nospammers.NET
...
 >> The RBLDNSD logs all return:
 >> 1204196617 111.222.333.444 999.888.777.666.blackhole.nospammers.COM A IN: REFUSED/0/61

this *smells* like that f00.com vs foo.com above!


The rest.  Well.

You're making.. strange conclusions.  Seriously.  Just this sequence:

"..no matter how I query... rbldnsd writes "REFUSED" into log.. it's
probably due to the fact that it refuses to bind to 127.0.0.2.. Only
bind is different on the 2 machines, from which I conclude that rbldnsd
is incompatible with some later version of bind".

It's a set of 3 completely unrelated issues.  Yet you managed to glue
them all together and make it so one is due to another.  It's.. fantastic!

I don't want to offend you, not at all.  This is really interesting -
I recall some very good politicians, usually "big" politicians, are able to
do such things.  (Remember that today was Presidential Election day here
in Russia ;)


Oh-oh.  This reply was much longer than the previous one - it is even
longer than your original message! ;)

Something like that, anyway... ;)

/mjt
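The two checks mjt describes above (can the OS bind the loopback address at all, and does rbldnsd answer REFUSED because the queried zone does not match the one on its command line) as a small diagnostic script. This is an added example, not code from the post or from rbldnsd; the port 1053 default mirrors the Perl snippet, and the server/zone/IP values are whatever you pass in (constructed packets are used in the offline checks).

```python
import socket
import struct

# RCODE values from RFC 1035; rbldnsd logs value 5 as "REFUSED".
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def can_bind(addr, port=1053):
    """Same test as the Perl snippet: does the OS let a UDP socket bind to addr:port?"""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.bind((addr, port))
        return True
    except OSError:          # e.g. EADDRNOTAVAIL on a system that only has 127.0.0.1
        return False
    finally:
        s.close()

def dnsbl_qname(ip, zone):
    """Reverse the octets of ip and append the zone, as an ip4set lookup expects."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def build_query(qname, qid=0x1234):
    """Minimal DNS query packet: RFC 1035 header (RD set, one question) + A/IN question."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)

def response_rcode(packet):
    """Name of the RCODE carried in the low 4 bits of a response's flags word."""
    flags = struct.unpack(">H", packet[2:4])[0]
    return RCODES.get(flags & 0x0F, "RCODE%d" % (flags & 0x0F))

def query_rcode(server, port, qname, timeout=2.0):
    """Send one query straight to rbldnsd (bypassing BIND) and return the RCODE name."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(build_query(qname), (server, port))
        data, _ = s.recvfrom(512)
    finally:
        s.close()
    return response_rcode(data)

if __name__ == "__main__":
    import sys
    addr = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.3"
    print("bind %s:1053 ->" % addr, "success!" if can_bind(addr) else "refused by the OS")
```

If `query_rcode(server, 53, dnsbl_qname(ip, zone))` returns REFUSED for a zone you believe is loaded, compare `zone` letter by letter with the zone name on the rbldnsd command line (the f00.com vs foo.com case).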
